Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0f3fd3e3d1ccade…

MALICIOUS

PDF

48.8 KB Created: 2020-08-13 07:41:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1afdf5fe49cd18ff9f5be251eca1fcd2 SHA-1: 0737497696d846386d2712b3673f057262047ce9 SHA-256: d0f3fd3e3d1ccade29a6fd8d56aee48a38274f5c85cfc849a58f6af1de2915f8
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many pointing to Shopify domains, which is indicative of a link farm. One critical heuristic identified a link to a known malicious redirector infrastructure at 'https://ttraff.cc/wb?keyword=short%20story%20in%20english%20for%20elementary%20students%20pdf'. The ML classifier also strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains URLs that are part of this link farm. The primary attack pattern appears to be SEO poisoning or redirecting users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wb?keyword=short%20story%20in%20english%20for%20elementary%20students%20pdf
    • http://files.shenangofire.com/uploads/1/3/1/6/131606094/gazawud.pdf
    • http://files.westviewdancetroupe.com/uploads/1/3/1/1/131164132/mumejolamumisu-kedalasovo.pdf
    • http://sigezazak.johnsonptsa.com/uploads/1/3/2/6/132695471/firoki-fisawilutakuxa-gapazitixujo.pdf
    • http://labij.togothillbc.com/uploads/1/3/1/3/131379530/bibomezon.pdf
    • https://cdn.shopify.com/s/files/1/0427/8901/1612/files/83736442417.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/25668779603.pdf
    • https://cdn.shopify.com/s/files/1/0430/2903/7219/files/39508870043.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/68905528383.pdf
    • https://cdn.shopify.com/s/files/1/0438/1714/0386/files/stardew_valley_miner_vs_geologist.pdf
    • https://cdn.shopify.com/s/files/1/0427/9356/6364/files/golaxulanesiwa.pdf
    • https://cdn.shopify.com/s/files/1/0429/5560/4121/files/autocad_electrical_2020_training_manual.pdf
    • https://cdn.shopify.com/s/files/1/0433/1634/7035/files/83097493714.pdf
    • https://cdn.shopify.com/s/files/1/0434/1714/1415/files/billie_jean_fingerstyle_guitar_tab.pdf
    • https://cdn.shopify.com/s/files/1/0431/5742/2240/files/59473588505.pdf
    • https://cdn.shopify.com/s/files/1/0432/6191/9390/files/xawujafa.pdf
    • https://cdn.shopify.com/s/files/1/0430/8421/8532/files/11222627598.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000073b8.bin
be89d7b6b5dc64d630602ad7cb9b6408fa3a43c91775d6b8caa6cde2e5e306e7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x73B8 5544 bytes
font_01_sfnt_off00008660.bin
4bc521d0428297c9ceb47996c8d3f4ee258583cc720e7323352297fc994dc71b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8660 9816 bytes
font_02_sfnt_off0000a7f1.bin
ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA7F1 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.